Sunday, 25 July 2010

passive recon on valued targets

So there was a bit of a flash in the pan recently, when my post on a simple autorun virus exploded after I notified Patrick Gray of the Risky Business podcast and he blogged it, and then ZDNet, Lifehacker and Slashdot (cue O Fortuna) picked it up. I am now even listening to the Risky Business podcast, where I get a mention.
Needless to say I got a lot of traffic (not a tonne; maybe the Slashdot effect is waning). The majority came from home users. Interestingly, a few had Firefox with Java turned off; these showed up in Extreme Tracker (I used them for a while, and they obviously still have some value). Those that didn't have it turned off showed up in Google Analytics.
I am a big fan of NoScript, so it seems I am not alone.
Before I get to my main point, I need to address a couple of things.
First, Lifehacker seemed to allude to the USB key having been infected from my home system or in some other way. This is simply untrue. This is a Windows virus, thus a Windows binary; it simply won't run on Linux, so there was no way to get infected there, and that was the last system the key was plugged into, with everything on it deleted to make way for the small collection of photos. The other point is the investigation I did: our receipt showed a time of 2:35pm (I have already given the job number to BigW for their investigation team), and the virus folder's creation time (and that of the files inside) was 2:24pm on the same day as the receipt.
On to the main point.
Of the total ~2000 hits, there were some interesting and funny ones. There were the obligatory hits from Woolworths, BigW's parent company, then, amusingly, from Coles (their biggest competitor) and Kodak (the kiosks are Fujifilm). Then came the interesting ones, obviously driven by the Slashdot post: hits from government organisations, big military complexes and security agencies the world over.
The point of this post is to show what kind of information these different public and private organisations exposed. First off the bat, something I thought of but my boss put eloquently into words: "Why do so many of these organisations have such telling reverse DNS records or IP block records?" Why indeed. I am not going to name names beyond the ones I have already named: Woolworths, for example, had their block registered to Woolworths Limited.
The next point that concerns me more is the other data that leaked out. I have their external IP; OK, that's not really much, but also their browser version (a lot of IE6 out there, people; have you learned nothing from the Google breach?), their connection speed, OS, etc. This could lead to someone simply writing a decent tech article, getting Slashdotted, then having a list of targets stream in, doing a bit of Google digging to find an employee's email address/LinkedIn/Facebook at said companies, and sending them an email about a follow-up post with a nice 0-day with remote code to install custom malware: some good reconnaissance on the most valuable (techie) targets. Usually you can assume the techies are running the latest software in the company, so if you see IE6 you have hit pay dirt, and if you see Mozilla 1.0, woo. You can even look for outdated OSes with unpatched vulnerabilities; there were a couple of Windows 98 and Windows 2000 hits. Oh, and to that OS/2 Warp 4 user who hit the site (if it wasn't forged), both my apologies and respect...
So from this I would think maybe everyone should change their proxies to use a different IP out of their block, one that is not registered to their company name and has no reverse DNS, and, you know, update your browser and OS once in a while, or change what your browser reports itself as to a different browser.
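A practical check for the defender side of this: before worrying about what a stranger's analytics see, audit what your own outbound traffic reports. The script below is an added example (not code from the original post); it parses constructed Combined Log Format lines, as a proxy or web server would record them, and flags the User-Agent details called out above (IE6 and older, Windows 98, Windows 2000). The IP addresses, log lines and the end-of-life table are constructed for illustration.

```python
import re

# Constructed sample log lines in Combined Log Format (documentation IPs, made-up UAs).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2010:10:01:02 +1000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.11 - - [25/Jul/2010:10:02:17 +1000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100101 Firefox/3.6.8"
198.51.100.7 - - [25/Jul/2010:10:03:40 +1000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.44 - - [25/Jul/2010:10:05:09 +1000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.3 Chrome/6.0.472"
"""

# ip ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# UA tokens that identify end-of-life desktop Windows versions (assumed table).
EOL_WINDOWS = {"Windows 98": "Windows 98", "Windows NT 5.0": "Windows 2000"}


def classify_ua(ua):
    """Return (browser, os, findings) for one User-Agent string."""
    findings = []
    m = re.search(r"MSIE (\d+)\.(\d+)", ua)
    if m:
        browser = "IE %s.%s" % m.groups()
        if int(m.group(1)) <= 6:          # IE6 and older are what the post flags
            findings.append("outdated browser: " + browser)
    else:
        m = re.search(r"(Firefox|Chrome)/([\d.]+)", ua)
        browser = "%s %s" % m.groups() if m else "unknown"
    os_name = "unknown"
    for token, name in EOL_WINDOWS.items():
        if token in ua:
            os_name = name
            findings.append("end-of-life OS: " + name)
            break
    else:                                 # no EOL token: just record the OS
        m = re.search(r"Windows NT [\d.]+|Linux|Mac OS X", ua)
        if m:
            os_name = m.group(0)
    return browser, os_name, findings


def audit_log(log_text):
    """Map each client IP that exposes something to the list of findings."""
    exposed = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the expected format
        _, _, findings = classify_ua(m.group("ua"))
        if findings:
            exposed.setdefault(m.group("ip"), []).extend(findings)
    return exposed


if __name__ == "__main__":
    for ip, findings in audit_log(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(findings))
```

Run it over your own proxy or gateway logs to see which internal hosts advertise the browser and OS combinations the post describes.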